The Administrative Appeals Tribunal upheld an earlier decision awarding a smaller payout of $36,000.

The decision was made after a poorly-redacted document was made available on the Comcare disclosure log as well as on an internal Defence server for more than a year across 2011 and 2012.

The army officer, who has more than 40 years of service had reached the rank of Major, was diagnosed with terminal lung cancer in 2002. She was concerned that through her work she may have become part of a cancer cluster, and through her solicitors asked Comcare to investigate whether her employment had caused or contributed to her illness.

That report was then subject to a freedom of information request by the officer's solicitor, and when it was provided to the solicitor it was also placed on the agency's disclosure log in a redacted form.

The redactions were not made properly though, meaning the officer's full name, address, date of birth and extensive medical records were included and available to the public. It was also placed in a folder on the Defence Records Management System that was available to be accessed by almost 1300 staff in the officer's division.

The privacy breach only became known once the documents had been online for more than a year, when an employee of the division used the report and provided a link in an email sent to the whole division in response to another staff member's concern about the possibility of a cancer cluster at the Victoria Barracks in Melbourne.

In the original decision made in 2017, Comcare was ordered to pay $20,000 in non-economic damages, plus $3000 in legal costs, and Defence was ordered to pay $10,000 in non-economic damages plus another $3000 in legal costs.

The officer argued in the new case that aggravated damages should be awarded due to the way Defence had handled removing the document, also accusing the army of trying to force her out of the organisation because of the way she reacted to the privacy breach.

However, according to the Administrative Appeals Tribunal, evidence of malice on the part of staff at Defence around the availability of the document "is thin, to the point of invisibility".

But other allegations made, that a senior member was patronising and unsympathetic about the privacy breach, and that another made an inappropriate comment telling her not to "neck herself" were accepted.

The tribunal Deputy President Gary Humphries found no link between attempts to terminate her employment and the privacy breach, rejecting an application for damages for future economic loss.

UPDATE: This article has been updated to clarify the freedom of information request was made by the officer's solicitor, not the officer.